Retrieve additional alert details - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

You can access additional information relating to an alert.

To easily access additional information relating to an alert:

  1. From the Alerts page, locate the alert for which you want to retrieve information.

  2. Right-click anywhere in the alert, and select one of the following options:

    • Retrieve Additional Data: Cortex XDR can provide related files and additional analysis of the memory contents when an exploit protection module raises an alert.

      Notice

      This option requires the XTH add-on to be enabled.

For tenants without XTH, select Get Causality Data to analyze additional data.

      • Select Retrieve alert data and analyze to retrieve alert data consisting of the memory contents at the time the alert was raised. You can also enable Cortex XDR to automatically retrieve alert data for every relevant alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When the analysis is complete, it displays the verdict in the Advanced Analysis field.

• Select Retrieve related files: To further examine files that are involved in an alert, you can request that the agent send them to the Cortex XDR tenant. If multiple files are involved, the tenant supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.

    • (For PAN NGFW source type alerts) Download triggering packet: Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table, Incident, or Causality view.

3. Navigate to Response > Action Center to view the retrieval status.

  4. Download the retrieved files locally.

    In the Action Center, wait for the data retrieval action to complete successfully. Then, right-click the action row and select Additional Data. From the Detailed Results view, right-click the row and select Download Files. A ZIP folder with the retrieved data is downloaded locally.

    Tip

If you require assistance from Palo Alto Networks support to investigate the alert, be sure to provide the downloaded ZIP file.